Safeguard
Tag

python

Safeguard articles tagged "python" — guides, analysis, and best practices for software supply chain and application security.

76 articles

Container Security

Minimal, Non-Root Docker Images for Python: A Best-Practices Guide

CVE-2019-5736 let a malicious container overwrite the host runc binary via root access. Here's how multi-stage, non-root builds close that door for Python apps.

Jul 16, 20266 min read
Application Security

Mass assignment in Python: how setattr and **kwargs turn request bodies into privilege escalation

One unguarded setattr() loop can let a JSON body set is_admin directly — the same bug class that let a researcher add his key to Rails' GitHub org in 2012.

Jul 14, 20266 min read
Application Security

Preventing XSS in Django applications

Django escapes template output by default, but mark_safe() and format_html() misuse routinely reopen the exact XSS holes auto-escaping was built to close.

Jul 14, 20266 min read
Application Security

ssl vs. requests vs. httpx: where Python TLS configuration goes wrong

Python didn't verify TLS certificates by default until PEP 476 landed in 2014 — a decade later, one stray verify=False call still reopens that exact hole.

Jul 14, 20265 min read
Application Security

How to actually implement TLS correctly in Python

One `verify=False` in a requests call disables both certificate and hostname checks — the same escape hatch PEP 476 tried to close in 2014.

Jul 12, 20265 min read
Application Security

Python linting for security hygiene: what flake8, pylint, and bandit actually catch

Bandit maps findings to CWE IDs like CWE-502 and CWE-78, but flake8 and pylint never look for a vulnerability at all — the three tools solve different problems.

Jul 12, 20266 min read
Application Security

Building an authenticated, TLS-secured WebSocket server in Python

WebSockets skip same-origin checks by default — CWE-1385 exists because of it. Here's how to build one in Python with origin checks, TLS, and rate limits.

Jul 11, 20266 min read
Security Guides

Python Dependency Scanning: A Practical Guide

Your code is a small fraction of what ships. This is how to inventory, scan, and continuously monitor the Python dependency tree that makes up the rest.

Jul 8, 20265 min read
Security Guides

Preventing SSRF in Python Applications

Server-side request forgery turns your own backend into an attacker's proxy, reaching internal services and cloud metadata endpoints you never meant to expose.

Jul 8, 20265 min read
Security Guides

PyYAML Security Guide (2026)

PyYAML is the default YAML parser for Python — and its history of arbitrary-code-execution CVEs from unsafe loading makes yaml.load() one of the most dangerous calls in the language.

Jul 8, 20265 min read
Supply Chain Attacks

Bun-compiled JS binaries as PyPI credential stealers

Two lightning releases fetched the Bun runtime at import time to run an 11MB obfuscated JS stealer — PyPI's Python trust model didn't expect a JS binary.

Jul 8, 20266 min read
Supply Chain Attacks

How malicious PyPI packages steal cloud credentials at install time

A typosquat of a 200M-download SSH library stole AWS keys from 37,000 installs — before anyone imported it. Here's the install-time attack pattern.

Jul 8, 20266 min read
python — Safeguard Blog